When it comes to data privacy rights and larger financial market participants, the Consumer Financial Protection Bureau’s (CFPB) latest Unified Agenda has some major implications.
For a deep-dive into the CFPB’s efforts to revise its Personal Financial Data Rights final rule, implementing Sec. 1033 of the Dodd-Frank Act, and its rules related to larger market participants, Dodd Frank Update consulted Mike G. Silver, who spent more than 12 years as one of the CFPB’s top regulatory attorneys.
Data privacy rulemaking
The CFPB’s Sec. 1033 rule also has been the subject of legal challenges and intense scrutiny from trade groups representing different corners of the financial sector, as well as from consumer advocates.
The CFPB released an advance notice of proposed rulemaking (ANPR) in August, seeking stakeholder feedback about key elements of the rule, which was finalized in November 2024. The issues raised in the ANPR, along with the CFPB’s shifting legal stances under the Trump administration since the rule moved to the final stage, offer insight about what changes could be on the table for the measure.
“The bureau has changed its position on the rule a couple of times this year and it’s unclear what its ultimate policy goal is for the rule or whether it’s actually changed, even from a few months ago,” Silver said. “But, they are doing it the appropriate way, in my view, by having a rulemaking process to reconsider the rule, and they have identified, in both their litigation motions, the issues that I believe they want to focus on in any such reconsideration.”
Silver described the industry reaction to the rule as “diverse,” from the bureau’s initial notice-and-comment period on the Section 1033 rule in October 2023 through its ongoing legal battle in federal court.
Numerous trade organizations representing traditional banks and credit unions initially expressed cautious support for certain aspects of what eventually became known as the “data privacy rule” or “open banking rule” during the initial notice-and-comment stages of the rulemaking process. However, many were disappointed by the CFPB’s perceived failure to address their concerns about potential third-party risk factors, liability allocation, ability to recoup fees and data security issues, which remain major sticking points for the industry.
Meanwhile, fintech companies and data aggregators, represented by the Financial Technology Association (FTA), have largely championed certain concepts contained within the rule, which many view as a significant step toward establishing an open banking framework in the U.S.
The dispute over the rule’s efficacy has become particularly complicated since the Trump administration took over operations at the CFPB and decided to withdraw its legal defense in a lawsuit challenging the rule in the U.S. District Court for the Eastern District of Kentucky. After the CFPB decided to side with arguments for vacating the rule posed by the Bank Policy Institute and the Kentucky Bankers Association, the FTA filed a motion to intervene, asserting the rule was critical to providing consumers the right to control their personal financial data and promoting competition and innovation.
“There’s always been this tension because the underlying policy issues [in the 1033 rule] are interesting and complicated,” Silver said. “You have what are very rapidly becoming entrenched positions among data aggregators, data providers and data recipients. They have very different stakes in the success of this rule. To some extent, it’s like a proxy battle for fintechs vs. banks. The fintechs seem to be on the side of having a rule and having guardrails whereas the largest banks have taken the oppositional view.”
Based on points raised in the bureau’s June motion for summary judgment in the case, Silver said the agency seems to have identified “three or four buckets of issues” the current administration believes are the primary flaws with the final rule. These include issues concerning the CFPB’s authority to under Sec. 1033 to allow access to authorized third parties, as opposed to only individual consumers.
“Then there’s the question about fees and whether the data providers can recoup any fees, either at cost or any profits for providing the data,” Silver said. “There are also issues concerning third-party risk management and the allocation of liability if there are issues once the data is released through the aggregators to the recipients.”
The rule’s critics also have raised concerns that the measure does not adequately address security and privacy protocols necessary to ensure consumer data is properly protected. Rather than addressing these issue within the rule, the bureau established a protocol for designating standard-setting bodies to create guardrails for covered data providers and aggregators to adhere to.
Larger participant rules
Months following the overturning of the CFPB’s larger participant rule for technology firms operating in the financial markets, regarding general use digital payment applications via the Congressional Review Act, the bureau now has four separate “prerule stage” line items with the words “Defining Larger Participants” in the titles. These pertain to various financial markets – consumer debt collection, consumer reporting, international money transfers and automobile financing.
Silver said he expects the bureau to focus on the topic of raising the thresholds for entities to be covered by each of these larger participant rules to shrink the pool of entities subject to CFPB supervision
“They’re basically considering changing the thresholds for who is treated as a larger participant in these markets to make it a smaller pool of companies that would be supervised as such,” Silver said. “Some of them may be based on a raw number of parties while some of them may be based on total revenues. The uniform theme is they are trying to change the thresholds such that they apply this treatment to companies that actually should be treated as larger participants.”
This approach would be entirely consistent with the Trump administration’s approach to supervision, Silver said, referring to the CFPB’s memorandum detailing its plans to deprioritize enforcement and supervision earlier this year at the same time it sought to enforce a reduction in force (RIF) order to cut its staff by approximately 90 percent.
“They wanted to de-emphasize a number of areas and to reduce supervisory events by 50 percent and of course, the RIF that they tried to execute would have had a pretty dramatic effect on the supervision offices,” Silver said. “Their overall policy objective at this moment appears to be more narrowly covering supervision functions from both a staff perspective and a policy perspective.”
Aside from its larger participant designation authority, the bureau has separate authority under Sec. 1024 of Dodd-Frank to designate individual companies for supervision based on a standard in the statute related to a risk determination, he noted. This is also separate from its authority to supervise companies based on asset size or that are enumerated in other industries, such as payday lenders.
“It’s basically like a default mechanism to get at other nonbank companies that don’t fall under other categories,” Silver explained. “They had never done a designation of a company until Rohit Chopra became CFPB director.”
The bureau used this authority to designate World Acceptance Corp. and Google Payment Corp. for bureau supervision – both of which came with considerable controversy. The bureau withdrew both companies’ designation statuses after the Trump administration took over.
The bureau passed procedural rules in 2022 and 2024, which ultimately allowed it to make the designations public if a company contested its designation. The bureau published a notice in May seeking to undo those procedural changes.
“They want to make the process non-public again,” Silver said. “Before those procedural changes, the entire designation process, from start to finish, was treated as confidential supervisory information. They didn’t just change the rules, in my view. They changed the underlying dynamic between the companies and they kind of created this dynamic where the bureau now had a strong incentive for companies to agree to bureau supervision. They basically said, if you agree to voluntary supervision, we’re not going to publicize it. But, if you contest it and then lose the contestation, it would be made public. Well, that’s a pretty heavy incentive to make the company say, ‘Oh well, let’s just agree to do it ‘voluntarily.’”
Before any finalized rule can be rescinded or significantly revised, it must undergo a notice-and-comment period. Based on the agenda in its current form, the industry will have several opportunities to voice their opinions on a variety of rulemaking proposals in the months ahead.
For more Dodd Frank Update coverage of matters related to data privacy and the CFPB’s efforts to implement Sec. 1033 of the Dodd-Frank Act, visit the “Data Privacy Vault” – a resource library holding all of our coverage of every volley in the ping-pong match between the finance industry and regulators over how to be protect consumers’ sensitive data in the rapidly evolving virtual financial marketplace.